The present invention relates to network technology. More specifically, this invention relates to mechanisms for performing encryption for data at rest at a port of a network device.
Security of data is typically achieved through encryption of the data. While data is often encrypted to secure the data during its transmission, data may also be encrypted in order to secure the data once it has been stored. Encryption of data that is stored on a storage medium is typically referred to as encryption of data-at-rest (EAR). Specifically, the data that is stored on the storage medium remains encrypted after it has been stored. There are a number of approaches to encrypting data-at-rest.
One approach to performing encryption of data-at-rest that is implemented by a number of products is to encrypt data at a network appliance responsible for encrypting data received from a source network device prior to providing the encrypted data to a storage medium. In a network such as a Storage Area Network (SAN) in which numerous storage devices are supported, the network appliance is typically responsible for the encryption of data received from multiple sources. Within such a network appliance, encryption is often performed by a hardware-accelerated encryptor. Since this single encryptor must service numerous sources, the performance of the network appliance is limited.
Another approach to encrypting data-at-rest that is commonly applied is to perform encryption at the source network device that is generating the data, or at the storage medium that will store the data. In these approaches, encryption is performed in software, since hardware acceleration would significantly impact the cost of the encrypting source network device or storage medium.
While these approaches can provide a viable solution for encryption of data, they afford limited throughput at a higher cost. For instance, existing network appliances encrypt data with a throughput of several hundred megabits per second. While this is sufficient to service a limited number of storage media, there is currently no solution for pervasive protection of storage data-at-rest that can afford wire-speed protection to an entire set of storage media in a multi-gigabit SAN.
For those customers who want to encrypt all of their storage, the existing solutions are insufficient to address this requirement. Specifically, existing solutions for performing encryption at a network appliance do not scale to address this requirement, while solutions for performing encryption at the source or destination network devices are not economically feasible.
In view of the above, it would be desirable if a scalable, economical approach to encrypting data at rest could be developed.